Abstract. The formal group law of an elliptic curve has seen recent
applications to computational algebraic geometry in the work of Couveignes
to compute the order of an elliptic curve over finite fields of small
characteristic ([2], [6]). The purpose of this paper is to explain in an
elementary way how to associate a formal group law to an elliptic curve and
to expand on some theorems of Couveignes. In addition, the paper serves as
background for [1]. We treat curves defined over arbitrary fields, including
fields of characteristic two or three. The author wishes to thank Al Laing
for a careful reading of an earlier version of the manuscript and for many
useful suggestions.



1 Definition and construction of formal group laws 

Let $R$ be a commutative ring with a multiplicative identity 1 and let $R[[X]]$
denote the ring of formal power series of $R$. In general it is not possible to
compose two power series in a meaningful way. For example, if we tried to form
the composition $f \circ g$ with $f = 1 + \tau + \tau^2 + \tau^3 + \cdots$ and
$g = 1 + \tau$ we would get

$$f \circ g = 1 + (1 + \tau) + (1 + \tau)^2 + (1 + \tau)^3 + \cdots$$

The constant term is $1 + 1 + 1 + \cdots$, which makes no sense. But there are some
cases where $f \circ g$ does make sense, namely when $f$ is a polynomial or when the
constant term of $g$ is zero. Let $R[[X,Y]] = R[[X]][[Y]]$, the ring of formal power
series in two variables. If $F \in R[[X,Y]]$ and $g, h \in \tau R[[\tau]]$ then

$F(g,h)$ makes sense and belongs to

If in addition $F$ has a zero constant term, then $F(g,h) \in \tau R[[\tau]]$.

A one dimensional (commutative) formal group law over $R$ is a power
series $F \in R[[X,Y]]$ with zero constant term such that the "addition" rule on
$\tau R[[\tau]]$ given by

$$g \oplus_F h = F(g,h)$$

makes $\tau R[[\tau]]$ into an abelian group with identity 0. In other words, for every
$f, g, h$ we must have $(f \oplus_F g) \oplus_F h = f \oplus_F (g \oplus_F h)$ (associative law),
$f \oplus_F g = g \oplus_F f$ (commutative law), $f \oplus_F 0 = f$ (0 is identity), and for each
$f \in \tau R[[\tau]]$ there exists $g \in \tau R[[\tau]]$ such that $f \oplus_F g = 0$ (inverses).
Denote this group by $C(F)$.
An equivalent and more widely known definition is the following: a formal group
law over $R$ is a power series $F(X,Y) \in R[[X,Y]]$ such that

(i) $F(X,0) = X$ (Additive Identity)

(ii) $F(X,Y) = F(Y,X)$ (Commutative Law)    (1.1)

(iii) $F(F(X,Y),Z) = F(X,F(Y,Z))$ (Associative Law).

The first property implies that $F$ has the form $X + YH(X,Y)$. By symmetry
in $X$ and $Y$, it must therefore be of the form

$$F(X,Y) = X + Y + XY\,G(X,Y), \quad G \in R[[X,Y]]. \tag{1.2}$$

Proposition 1.1 Let $F$ be a power series in two variables with coefficients in
$R$ such that $F(0,0) = 0$. The following are equivalent.

(1) The three conditions in (1.1) hold;

(2) The binary operation on $\tau R[[\tau]]$ defined by $f \oplus_F g = F(f,g)$ makes
$\tau R[[\tau]]$ into an abelian group with identity 0;

(3) The binary operation on $\tau R[[\tau]]$ defined by $f \oplus_F g = F(f,g)$ makes
$\tau R[[\tau]]$ into an abelian semigroup with identity 0.

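Proof. We will show (1) $\Rightarrow$ (2) $\Rightarrow$ (3) $\Rightarrow$ (1). Assume (1) holds. Define a binary
operation on $\tau R[[\tau]]$ by $f \oplus_F g = F(f,g)$ for $f, g \in \tau R[[\tau]]$. The three conditions
immediately imply $f \oplus_F 0 = f$, $f \oplus_F g = g \oplus_F f$, and
$(f \oplus_F g) \oplus_F h = f \oplus_F (g \oplus_F h)$ for $f, g, h \in \tau R[[\tau]]$. It remains only to prove
the existence of inverses. For this, it suffices to prove there is a power series
$\iota \in \tau R[[\tau]]$ such that $F(g, \iota \circ g) = 0$ for all $g \in \tau R[[\tau]]$. Let $\iota^{(1)} = -\tau$.
By (1.2) $F(\tau, \iota^{(1)}) \equiv \tau - \tau \equiv 0 \bmod \tau^2$. Now assume inductively that
$\iota^{(N)} \in \tau R[[\tau]]$ satisfies $F(\tau, \iota^{(N)}) \equiv 0 \bmod \tau^{N+1}$ and
$\iota^{(N)} \equiv \iota^{(N-1)} \bmod \tau^{N}$. Then there is $a \in R$ such that
$F(\tau, \iota^{(N)}) \equiv a\tau^{N+1} \bmod \tau^{N+2}$.

Let $\iota^{(N+1)} = \iota^{(N)} - a\tau^{N+1}$. By (1.2)

$$F(\iota^{(N)}, -a\tau^{N+1}) \equiv \iota^{(N)} - a\tau^{N+1} = \iota^{(N+1)} \bmod \tau^{N+2}.$$

Thus

$$F(\tau, \iota^{(N+1)}) \equiv F(\tau, F(\iota^{(N)}, -a\tau^{N+1})) = F(F(\tau, \iota^{(N)}), -a\tau^{N+1})
\equiv F(\tau, \iota^{(N)}) - a\tau^{N+1} \equiv 0 \bmod \tau^{N+2}.$$

This completes the induction. Let $\iota \in \tau R[[\tau]]$ be the power series such that
$\iota \equiv \iota^{(N)} \bmod \tau^{N+1}$ for all $N$. Then $F(\tau, \iota(\tau)) = 0$, and hence
$F(x, \iota(x)) = 0$ for all $x \in \tau R[[\tau]]$. This proves (1) $\Rightarrow$ (2). It is obvious
that (2) $\Rightarrow$ (3).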

Now assume (3) holds. We will prove condition (iii) of (1.1) holds; the other
conditions in (1.1) can be proved similarly. Let $G(X,Y,Z) = F(F(X,Y),Z) - F(X,F(Y,Z))$.
We must show $G = 0$. By hypothesis, if $a, b, c$ are any positive integers then

$$G(\tau^a, \tau^b, \tau^c) = (\tau^a \oplus_F \tau^b) \oplus_F \tau^c - \tau^a \oplus_F (\tau^b \oplus_F \tau^c) = 0$$

as an element of $R[[\tau]]$. We must show that every coefficient of $G$ is zero. Write

$$G = \sum_{i,j,k \ge 0} g_{ijk} X^i Y^j Z^k.$$

Since the $N$th coefficient of $G(\tau^a, \tau^b, \tau^c)$ is zero we have

$$\sum_{\{ i,j,k \in \mathbb{Z}_{\ge 0} \,\mid\, (a,b,c)\cdot(i,j,k) = N \}} g_{ijk} = 0 \tag{1.3}$$

for all positive integers $a, b, c, N$. We need to show each $g_{ijk} = 0$. Suppose not.
Among all $i,j,k$ for which $g_{ijk}$ is nonzero, consider those for which $N_1 = i+j+k$
is minimal. Among all $i,j,k$ with $g_{ijk} \ne 0$ and $i+j+k = N_1$, consider those for
which $N_2 = i+j$ is minimal. Finally, among all $i,j,k$ with $g_{ijk} \ne 0$, $i+j+k = N_1$,
and $i+j = N_2$ select the one for which $N_3 = i$ is minimal. Call this triple
$(i_0, j_0, k_0)$; that is, $i_0 + j_0 + k_0 = N_1$, $i_0 + j_0 = N_2$, $i_0 = N_3$. Choose integers
$M_1, M_2, M_3$ such that

$$M_3 > 1, \quad M_2 > M_3 N_3, \quad M_1 > M_2 N_2 + M_3 N_3.$$

Let

$$(a,b,c) = (M_1 + M_2 + M_3,\ M_1 + M_2,\ M_1), \quad N = M_1 N_1 + M_2 N_2 + M_3 N_3.$$

We will obtain a contradiction by showing that

$$\sum_{\{ i,j,k \in \mathbb{Z}_{\ge 0} \,\mid\, (a,b,c)\cdot(i,j,k) = N \}} g_{ijk} = g_{i_0 j_0 k_0} \ne 0. \tag{1.4}$$

Suppose $g_{ijk} \ne 0$ and $(a,b,c)\cdot(i,j,k) = N$. The equality can be written

$$M_1(i+j+k) + M_2(i+j) + M_3 i = N. \tag{1.5}$$

Now $i+j+k \ge N_1$ by the minimality of $N_1$. Strict inequality cannot hold, since
otherwise

$$N = M_1(i+j+k) + M_2(i+j) + M_3 i \ge M_1(N_1 + 1) > M_1 N_1 + M_2 N_2 + M_3 N_3 = N.$$

Thus $i+j+k = N_1$. By minimality of $N_2$ we know $i+j \ge N_2$. Again strict
inequality cannot hold, since otherwise

$$N = M_1(i+j+k) + M_2(i+j) + M_3 i \ge M_1 N_1 + M_2(N_2 + 1) > M_1 N_1 + M_2 N_2 + M_3 N_3 = N.$$

Thus $i+j = N_2$. Now the equality (1.5) shows $i = N_3$. This establishes (1.4)
and completes the proof. □
The following proposition gives a general method to construct formal group
laws.

Proposition 1.2 Let $G$ be an abelian group, $0_G$ its identity element, and write its
multiplication law additively. Suppose there is a one-to-one map $T : \tau R[[\tau]] \to G$
such that $T(0) = 0_G$, and a power series $F \in R[[X,Y]]$ with zero constant term
such that

$$T(g) + T(h) = T(F(g,h)) \tag{1.6}$$

for all $g, h \in \tau R[[\tau]]$. Then $F$ defines a formal group law.

Some easy examples of the above proposition are: (1) $G = R[[\tau]]$ under
addition, $T$ = inclusion, $F(X,Y) = X + Y$ (called the additive group law),
and (2) $G = R[[\tau]]^{\times}$ under multiplication, $T(g) = 1 + g$, $F(X,Y) = X + Y + XY$
(called the multiplicative group law). A less trivial example is the
construction of the group law associated to an elliptic curve, which will be given
in §4.

Proof of Proposition 1.2. The hypothesis is that there is an injective map $T$
from $\tau R[[\tau]]$ into an abelian group $G$ such that $T(0) = 0_G$, and there is a power
series $F(X,Y)$ with zero constant term such that

$$T(g) + T(h) = T(F(g,h))$$

for all $g, h \in \tau R[[\tau]]$. We need to show that $F$ gives an abelian group law on
$\tau R[[\tau]]$. By Prop. 1.1, it suffices to show $F$ makes $\tau R[[\tau]]$ into an abelian
semigroup with identity 0; that is, if $f, g, h \in \tau R[[\tau]]$ then

$$f \oplus_F (g \oplus_F h) = (f \oplus_F g) \oplus_F h, \quad f \oplus_F g = g \oplus_F f, \quad f \oplus_F 0 = f.$$

Now $T(f \oplus_F (g \oplus_F h)) = T(f) + T(g \oplus_F h) = T(f) + T(g) + T(h)$ and similarly
$T((f \oplus_F g) \oplus_F h) = T(f) + T(g) + T(h)$. This proves the first identity, since $T$
is one-to-one. The other two identities are proved similarly. □



2 Homomorphisms of formal group laws 

If $F$ is a formal group law then write $C(F)$ for the group it determines. That is,
$C(F) = \tau R[[\tau]]$ as a set, and the group law is given by $g \oplus_F h = F(g,h)$. If $F, F'$
are two formal group laws then a homomorphism from $F$ to $F'$ is defined as a
power series $U(\tau) \in \tau R[[\tau]]$ with zero constant term such that $g \mapsto U(g)$ defines
a homomorphism from $C(F)$ into $C(F')$. Explicitly,

$$U \circ (x \oplus_F y) = (U \circ x) \oplus_{F'} (U \circ y)$$

for all $x, y \in \tau R[[\tau]]$. In terms of power series this can be written

$$U(F(X,Y)) = F'(U(X), U(Y)). \tag{2.1}$$

The reason that $U$ has zero constant term is that $U$ must take $\tau R[[\tau]]$ into itself.
An example of a homomorphism from $F$ to itself is the multiplication by $n$ map,
denoted $[n]$ or $[n]_F$, which is defined by the rules:

$$[0] = 0, \quad [1] = \tau, \quad [n+1]\tau = [n]\tau \oplus_F \tau = F([n]\tau, \tau) \ \text{if } n > 0, \quad [n] = \iota \circ [-n] \ \text{if } n < 0. \tag{2.2}$$



Let $G_1, G_2$ be abelian groups, and let $T_i : \tau R[[\tau]] \to G_i$ ($i = 1, 2$) be one-to-one
maps such that $T_i(0)$ is the identity element of $G_i$. Let $F_i$ be power series
with zero constant term such that

$$T_i(g) \oplus_{G_i} T_i(h) = T_i(g \oplus_{F_i} h), \quad i = 1, 2,$$

where $\oplus_{G_i}$ denotes addition on the group $G_i$ and $g \oplus_{F_i} h = F_i(g,h)$. We showed
that $F_i$ is a formal group law, and the above equation simply states that $T_i$ is a
group homomorphism from $C(F_i)$ into $G_i$.

Lemma 2.1 Let $G_i, T_i, F_i, C(F_i)$ be as above. Suppose there is a group
homomorphism $\psi : G_1 \to G_2$ and a power series $U$ with zero constant term such
that

$$\psi(T_1(g)) = T_2(U(g)) \tag{2.3}$$

for all $g \in \tau R[[\tau]]$. Then $U$ is a homomorphism between the formal group laws
defined by $F_1$ and $F_2$.

Proof. It suffices to show that $U$ is a homomorphism from $C(F_1)$ to $C(F_2)$. By
hypothesis there is a commutative diagram

$$\begin{array}{ccc}
C(F_1) & \xrightarrow{\ T_1\ } & G_1 \\
\downarrow {\scriptstyle U} & & \downarrow {\scriptstyle \psi} \\
C(F_2) & \xrightarrow{\ T_2\ } & G_2
\end{array}$$

Here $T_1, T_2, \psi$ are homomorphisms and $T_1, T_2$ are injective. It follows by diagram
chasing that $U$ is a homomorphism, as claimed. □
As a special case, let $G_1 = G_2 = G$, $T_1 = T_2 = T$, $F_1 = F_2 = F$, and
$\psi(g) = ng$ where $n \in \mathbb{Z}$. Then $U = [n]$, which was defined by (2.2). The power
series for $[n]$ may either be computed from the recursion (2.2) or from the formula
(2.3), which in this context reads

$$nT(g) = T([n](g)) \quad \text{for } g \in \tau R[[\tau]]. \tag{2.4}$$

For the additive formal group law we have $T$ = inclusion of $\tau R[[\tau]]$ into $R[[\tau]]$
and the formula reads $ng = [n](g)$. So in that case,

$$[n](\tau) = n\tau \quad \text{(Additive Formal Group)}$$

For the multiplicative formal group law we have $G = R[[\tau]]^{\times}$ and $T(g) = 1 + g$,
so the formula reads $(1 + g)^n = 1 + [n](g)$. In the special case where $n = p$ = the
characteristic of $R$ with $p > 0$ we have $(1 + g)^p = 1 + g^p$, and therefore

$$[p](\tau) = \tau^p \quad \text{(Multiplicative Formal Group in Char. } p).$$



3 Height 



If $R$ has characteristic $p$ then the height of a homomorphism $U$, written
$\mathrm{ht}(U)$, is the largest integer $h$ such that $U(\tau) = V(\tau^{p^h})$ for some power series
$V$, or $\infty$ if $U = 0$. The height of the formal group law is defined as the
height of the homomorphism $[p]$. For the additive formal group law defined by
$F(X,Y) = X + Y$ we have $[p](\tau) = p\tau = 0$, so the height of $F$ is $\infty$. For
the multiplicative formal group law given by $F(X,Y) = X + Y + XY$ we have
$[p](\tau) = \tau^p$, therefore the multiplicative formal group law has height one.



Example 3.1 Let $F = \sum f_{ij} X^i Y^j$ be a formal group law over an integral
domain $R$ of characteristic $p > 0$. Let $F^{(p)} = \sum f_{ij}^p X^i Y^j$. We claim that $F^{(p)}$ is
a formal group law, and $\phi = \tau^p$ is a homomorphism (evidently of height 1) from
$F$ to $F^{(p)}$. For the first assertion, replace $X, Y, Z$ by $X^{1/p}, Y^{1/p}, Z^{1/p}$ in the
relation (1.1) then take the $p$th power. This yields the corresponding relations
for $F^{(p)}$. For the second assertion, note that

$$F^{(p)}(\phi(X), \phi(Y)) = F(X,Y)^p = \phi(F(X,Y)).$$

Observe that $\phi^k : F \to F^{(p^k)}$. □



Proposition 3.2 Let $F_1, F_2$ be formal group laws over an integral domain $R$
of characteristic $p$. Let $U(\tau) = \sum u_i \tau^i$ be a homomorphism from $F_1$ to $F_2$ of
height $k$. Then the first nonzero coefficient of $U$ is $u_{p^k}$. Moreover, there is a
homomorphism $V : F_1^{(p^k)} \to F_2$ such that $U = V \circ \phi^k$.

Proof. If $k = 0$ then $u_j \ne 0$ for some $j$ which is prime to $p$, therefore
$U'(\tau) = \sum_m m u_m \tau^{m-1}$ is nonzero. Differentiate the equation $U(F_1(X,Y)) =
F_2(U(X), U(Y))$ with respect to $Y$ and then set $Y = 0$. We obtain

$$U'(F_1(X,0)) \, \frac{\partial F_1}{\partial Y}(X,0) = \frac{\partial F_2}{\partial Y}(U(X), U(0)) \, U'(0).$$

Since $F_i(X,Y) = X + Y + XYG_i(X,Y)$ for $i = 1, 2$, this becomes

$$U'(X)\,(1 + XG_1(X,0)) = (1 + U(X)G_2(U(X),0))\, u_1.$$

The left side is nonzero, therefore $u_1 \ne 0$.

Now let $k \ge 1$ and set $q = p^k$. By definition of height, there is a power
series $V(\tau) \in \tau R[[\tau]]$ such that $U(\tau) = V(\tau^q)$. Now $V'$ is nonzero, since
otherwise $V$ would be a function of $\tau^p$, so that $q$ could be replaced by $pq$. We
claim $V$ is a homomorphism from $F_1^{(q)}$ to $F_2$. We have to show $V(F_1^{(q)}(X,Y)) =
F_2(V(X), V(Y))$. The left side is $V(F_1(X^{1/q}, Y^{1/q})^q) = U(F_1(X^{1/q}, Y^{1/q}))$. The
right side is $F_2(U(X^{1/q}), U(Y^{1/q}))$. These two are equal because $U$ is a
homomorphism from $F_1$ to $F_2$. Since $V' \ne 0$, $V$ has height zero. It follows from the
case $k = 0$ that the first coefficient of $V$ is nonzero. Thus the coefficient of $\tau^q$ in
$U$ is nonzero. □



Proposition 3.3 Let $F, F', F''$ be formal group laws over an integral domain $R$
of characteristic $p$. In parts (a), (b), (d) and (e) assume $p > 0$.

(a) If $U : F \to F'$, and $V : F' \to F''$, then $\mathrm{ht}(V \circ U) = \mathrm{ht}(V) + \mathrm{ht}(U)$.

(b) If there is a nonzero homomorphism $U$ from $F$ to $F'$ then $F$ and $F'$ have
the same height.

(c) For $n \in \mathbb{Z}$, $[n]_F = n\tau + \tau^2(\cdots)$.

(d) Every formal group $F$ over a ring of characteristic $p$ has height at least one.

(e) If $n = ap^t$ with $(a,p) = 1$ then $\mathrm{ht}([n]_F) = t\,\mathrm{ht}(F)$.

Proof. (a) Define the degree of a nonzero power series $\sum a_i \tau^i$ to be the smallest
$i$ such that $a_i \ne 0$. Prop. 3.2 asserts that if $U$ is a nonzero homomorphism of
formal group laws then $\deg(U) = p^{\mathrm{ht}(U)}$. The degrees of power series multiply
when they are composed, therefore $p^{\mathrm{ht}(V \circ U)} = p^{\mathrm{ht}(V)} p^{\mathrm{ht}(U)} = p^{\mathrm{ht}(V) + \mathrm{ht}(U)}$.
(b) Certainly $[p]_{F'} \circ U = U \circ [p]_F$, so $[p]_F$ and $[p]_{F'}$ have the same height by (a).
(c) can easily be shown by induction, using (2.2). (d) is immediate from (c) and
Prop. 3.2. (e) $\mathrm{ht}([n]_F) = \mathrm{ht}([a]_F) + t\,\mathrm{ht}([p]_F)$ by (a). The height of $[a]_F$ is zero
by (c), and $\mathrm{ht}([p]_F) = \mathrm{ht}(F)$ by definition. □
If $F, F'$ are formal group laws over an integral domain $R$ and $U_1, U_2 : F \to F'$,
define $U_1 \oplus_{F'} U_2 = F'(U_1, U_2)$. $U_1 \oplus_{F'} U_2$ is a homomorphism from $F$ to $F'$.
This composition rule makes $\mathrm{Hom}(F,F')$ into an abelian group. In particular, it
is a $\mathbb{Z}$-module. Suppose that $R$ has characteristic $p > 0$. We put a topology on
$\mathrm{Hom}(F,F')$ by decreeing that $U$ and $V$ are close iff $U \ominus_{F'} V$ has a large height.
In other words, the topology on $\mathrm{Hom}(F,F')$ is induced from the height metric
$|U| = c^{\mathrm{ht}(U)}$, where $0 < c < 1$. □

Proposition 3.4 Let $F, F'$ be formal groups over an integral domain $R$ of
characteristic $p > 0$.

(a) $\mathrm{ht}(U_1 \oplus_{F'} U_2) \ge \inf\{\mathrm{ht}(U_1), \mathrm{ht}(U_2)\}$. If $\mathrm{ht}(U_1) < \mathrm{ht}(U_2)$ then
$\mathrm{ht}(U_1 \oplus_{F'} U_2) = \mathrm{ht}(U_1)$. Hence, the height metric is nonarchimedean.

(b) The map $\mathbb{Z} \times \mathrm{Hom}(F,F') \to \mathrm{Hom}(F,F')$ given by $(n, U) \mapsto [n]_{F'} \circ U$ is
continuous with respect to the $p$-adic metric on $\mathbb{Z}$ and the height metric on $\mathrm{Hom}(F,F')$.
Hence, $\mathrm{Hom}(F,F')$ is naturally a $\mathbb{Z}_p$-module.

(c) If $\mathrm{ht}(F) < \infty$ then $\mathrm{Hom}(F,F')$ is a faithful $\mathbb{Z}_p$-module.

Proof. (a) Write $F'(X,Y) = X + Y + XYG'(X,Y)$. Then $U_1 \oplus_{F'} U_2 =
F'(U_1, U_2) = U_1 + U_2 + U_1 U_2 G'(U_1, U_2)$. Part (a) is therefore true when the word
"degree" is substituted for the word "height". Since $\mathrm{ht}(U_i) = \log_p(\deg(U_i))$,
(a) follows. (b) We must show that if $n = m + ap^t$ with $t$ large and if
$U, V \in \mathrm{Hom}(F,F')$ are close then $n \cdot U$ is close to $m \cdot V$. But

$$n \cdot U \ominus_{F'} m \cdot V = [n]_{F'} \circ (U \ominus_{F'} V) \oplus_{F'} [ap^t]_{F'} \circ V.$$

The height of $[n]_{F'} \circ (U \ominus_{F'} V)$ is $\ge \mathrm{ht}(U \ominus_{F'} V)$. The height of $[ap^t]_{F'} \circ V$ is
$\ge t$. Both these heights are large, so the height of the sum is large by (a). (c)
We must show that if $a \in \mathbb{Z}_p$ and $0 \ne U \in \mathrm{Hom}(F,F')$ then $a \cdot U = 0$ iff $a = 0$.
Write $a = p^k b$, where $b \in \mathbb{Z}_p^{*}$. We have $a \cdot U = [p^k] \circ b \cdot U$. Certainly $b \cdot U \ne 0$,
since $b$ is invertible, and $[p^k]$ is nonzero since it has finite height. Thus $a \cdot U$ is
the composition of two nonzero formal power series over $R$, and since $R$ is an
integral domain, this composition is nonzero. □
It is a theorem of M. Lazard ([3], [4]) that if $R$ is a separably closed field of
characteristic $p$ then two formal group laws $F, F'$ defined over $R$ are isomorphic
iff they have the same height; this gives a partial converse to Prop. 3.3(b). We
will see that the height of the formal group law associated to an elliptic curve $E$
defined over a field $R$ of characteristic $p$ is one or two according as $E$ is ordinary
or supersingular. Thus Lazard's Theorem implies that the formal group laws
of any two ordinary elliptic curves (or any two supersingular elliptic curves) are
isomorphic over the algebraic closure of $R$. On the other hand, the condition that
two elliptic curves over $R$ be isomorphic is much more restrictive (the two curves
must have the same $j$-invariant; see [7], p. 47-50). This means that isomorphisms
of formal group laws are far more abundant than isomorphisms of elliptic curves.



4 Constructing the formal group law of an elliptic curve 

Let $E$ be an elliptic curve over a field $K$ determined by a nonsingular Weierstrass
equation

$$W(X,Y,Z) = Y^2 Z + a_1 XYZ + a_3 YZ^2 - (X^3 + a_2 X^2 Z + a_4 XZ^2 + a_6 Z^3), \tag{4.1}$$

$a_i \in K$. Let $L$ be the quotient field of $K[[\tau]]$. Since $K \subset L$, we can consider
the points in $E(L)$. Let $R$ be a subring of $K$ (possibly $R = K$) containing 1
and all the Weierstrass coefficients $a_i$. We will construct a formal group law by
embedding $\tau R[[\tau]]$ into $E(L)$ and "stealing" the group law from $E(L)$.

Consider points of the form $(t, -1, s)$ in $E(K)$. Then $t$ can be regarded as
the function $-X/Y \in K(E)$, where $K(E)$ denotes the function field of $E$ over
$K$, and $t$ is a uniformizer at the identity $O = (0, 1, 0)$. Also $s$ can be regarded
as the function $-Z/Y$, and $s$ has a triple zero at $O$. Let $\Omega$ be the ring of
functions in $K(E)$ which are defined at $O$ and $M$ the ideal of functions in $\Omega$
which vanish at $O$. Then $M$ is principal, generated by $t$, and $\Omega/M \cong K$ by the
map $f + M \mapsto f(O)$. $\Omega$ has a metric induced by $M$, namely $|f| = c^n$, where
$0 < c < 1$ and $n$ is the largest integer such that $f \in M^n$. The uniformizer $t$
determines an isometry $\Psi : \Omega \to K[[\tau]]$ (where $K[[\tau]]$ has the $\tau$-adic topology)
as follows: $f \mapsto \sum a_i \tau^i$ (where $a_i \in K$) iff for each $N$, $f - \sum_{i=0}^{N} a_i t^i \in M^{N+1}$.

The image of $\Psi$ is dense in $K[[\tau]]$, since it contains all polynomials.

Let $S(\tau) = \Psi(s) = \sum_{i=3}^{\infty} s_i \tau^i$. We will prove below that if $f \in \tau R[[\tau]]$ then
$(f, -1, S(f)) \in E(L)$, so there is an embedding $T : \tau R[[\tau]] \to E(L)$ given by

$$T(f) = (f, -1, S(f)). \tag{4.2}$$

The formal group law of $E$ will be the power series $F \in R[[X,Y]]$ such that
$T(g) + T(h) = T(F(g,h))$. All we need to do is to prove this power series $F$
exists; it will automatically be a formal group law because of Prop. 1.2.



By dividing through the Weierstrass equation by $Y^3$ we see that $s$ and $t$
satisfy the equation

$$s = t^3 + a_1 ts + a_2 t^2 s + a_3 s^2 + a_4 ts^2 + a_6 s^3. \tag{4.3}$$

The series $S$ can be computed by recursively substituting approximations for $s$
into the right hand side of (4.3) and expanding to get improved approximations.
We start with the approximation $s = O(t^3)$ to obtain

$$s = t^3 + a_1 t\,O(t^3) + a_2 t^2 O(t^3) + a_3 (O(t^3))^2 + a_4 t (O(t^3))^2 + a_6 (O(t^3))^3 = t^3 + O(t^4).$$

On the next round substitute $t^3 + O(t^4)$ for $s$ in the right side of the equation
to obtain $s = t^3 + a_1 t^4 + O(t^5)$. This procedure yields the general rule:

$s_0 = s_1 = s_2 = 0$, $s_3 = 1$, and if $n \ge 4$ then

$$s_n = a_1 s_{n-1} + a_2 s_{n-2} + a_3 \sum_{i+j=n} s_i s_j + a_4 \sum_{i+j=n-1} s_i s_j + a_6 \sum_{i+j+k=n} s_i s_j s_k. \tag{4.4}$$

Lemma 4.1 Let $W$ be the Weierstrass equation (4.1), where $a_i \in R$ and $R$
is an integral domain. Let $s_i \in R$ be defined by the recursion (4.4) and let
$S = \sum s_i \tau^i \in \tau R[[\tau]]$. Then $W(\tau, -1, S) = 0$ in $R[[\tau]]$. If $f, g \in \tau R[[\tau]]$ and
$W(f, -1, g) = 0$ then $g = S \circ f$.

Remark. Since the Weierstrass equation is cubic in the variable $Z$, it follows
that for fixed $f \in \tau R[[\tau]]$, the equation $W(f, -1, g) = 0$ has three solutions for
$g$ in the algebraic closure of the quotient field of The lemma asserts that
exactly one of these solutions lies in $\tau R[[\tau]]$.

Proof. Let $K$ be the quotient ring of $R$ and let $E$ be the elliptic curve over $K$
with equation $W$. Let $t = -X/Y$, $s = -Z/Y \in K(E)$, and $\Psi : \Omega \to K[[\tau]]$ be
as described in the beginning of this section. Then $\Psi(t) = \tau$, $\Psi(s) = S$. Now
$W(t, -1, s) = 0$, so

$$0 = \Psi(W(t, -1, s)) = W(\tau, -1, S).$$

From this it follows that $W(f, -1, S \circ f) = 0$ for any $f \in \tau K[[\tau]]$.

Now suppose $f, g \in \tau R[[\tau]]$ and $W(f, -1, g) = 0$. Let $h = S \circ f$. Then

$$0 = W(f, -1, h) - W(f, -1, g)
= (g - h)\left(-1 + a_1 f + a_2 f^2 + a_3 (g + h) + a_4 f (g + h) + a_6 (g^2 + gh + h^2)\right).$$

Since $-1 + a_1 f + \cdots$ is a unit in $R[[\tau]]$, $g - h$ must be zero. □
The above lemma establishes that the map $T : \tau K[[\tau]] \to E(L)$ is well-defined,
furthermore it is obviously one-to-one. Recall Prop. 1.2, which guarantees
that if we can find a power series $F$ in two variables with the properties that
$F(0,0) = 0$ and $T(f) + T(g) = T(F(f,g))$ then $F$ will be a formal group law.
We now show such an $F$ can be found. First we need to know addition formulas
for points of the form $(t_1, -1, s_1)$. Such formulas are provided below.



Proposition 4.2 Let $P_i = (t_i, -1, s_i)$ for $i = 1, 2$ be points on the elliptic curve
with Weierstrass equation (4.1).

(a) Suppose $t_1 \ne 0$ and let $m = s_1/t_1$. If $1 + a_2 m + a_4 m^2 + a_6 m^3 \ne 0$ then

$$-P_1 = \left( \frac{-t_1}{1 - a_1 t_1 - a_3 s_1},\ -1,\ \frac{-s_1}{1 - a_1 t_1 - a_3 s_1} \right). \tag{4.5}$$

(b) Suppose $t_1 \ne t_2$ and let $m = (s_1 - s_2)/(t_1 - t_2)$, $b = s_1 - m t_1$,
$A = 1 + a_2 m + a_4 m^2 + a_6 m^3$. If $A \ne 0$ then

$$P_1 + P_2 = -(t_3, -1, m t_3 + b), \qquad
t_3 = -t_1 - t_2 - \frac{a_1 m + a_2 b + a_3 m^2 + 2 a_4 m b + 3 a_6 m^2 b}{A}. \tag{4.6}$$

Proof. (b) $P_1, P_2$ lie on the line $mX - bY - Z = 0$. Let $P_3$ be the third point
of intersection of this line with the elliptic curve. Write $P_3 = (x_3, y_3, z_3)$. If
$y_3 = 0$ then $P_3 = (1, 0, m)$. From the Weierstrass equation (4.1), $1 + a_2 m +
a_4 m^2 + a_6 m^3 = 0$, contrary to the hypothesis. Thus $y_3 \ne 0$, and hence $P_3$ can be
written $P_3 = (t_3, -1, m t_3 + b)$. Likewise $P_i = (t_i, -1, m t_i + b)$ for $i = 1, 2$. When
$(t, -1, mt + b)$ is substituted for $(X, Y, Z)$ in the Weierstrass equation, the result
must be of the form $A(t - t_1)(t - t_2)(t - t_3)$ with $A \ne 0$. Hence

$$-(mt + b) + a_1 t (mt + b) + a_3 (mt + b)^2 + t^3 + a_2 t^2 (mt + b) + a_4 t (mt + b)^2
+ a_6 (mt + b)^3 = A(t - t_1)(t - t_2)(t - t_3).$$

The left side is of the form

$$(1 + a_2 m + a_4 m^2 + a_6 m^3) t^3 + (a_1 m + a_3 m^2 + a_2 b + 2 a_4 m b + 3 a_6 m^2 b) t^2
+ (\cdots) t + (\cdots)$$

and the right side is of the form $A t^3 - A (t_1 + t_2 + t_3) t^2 + \cdots$. Now (b) follows
immediately.

(a) Let $P_2 = (0, 1, 0)$, $m = s_1/t_1$, $A = 1 + a_2 m + a_4 m^2 + a_6 m^3$. Since
$A \ne 0$, (b) implies that $P_1 + (0, 1, 0) + (t_3, -1, m t_3) = (0, 1, 0)$, where $t_3 =
-t_1 - (a_1 m + a_3 m^2)/A$. Thus $-P_1 = (t_3, -1, m t_3)$. Now

$$t_1^3 A = t_1^3 + a_2 t_1^2 s_1 + a_4 t_1 s_1^2 + a_6 s_1^3 = s_1 - a_1 t_1 s_1 - a_3 s_1^2,$$

thus

$$t_3 = -t_1 - \frac{a_1 m + a_3 m^2}{A}
= \frac{-t_1 (t_1^3 A) - (a_1 t_1^2 s_1 + a_3 t_1 s_1^2)}{t_1^3 A}
= \frac{-t_1 s_1}{s_1 - a_1 t_1 s_1 - a_3 s_1^2}
= \frac{-t_1}{1 - a_1 t_1 - a_3 s_1}.$$

□



Theorem 4.3 There is a power series $F(t_1, t_2) \in R[[X,Y]]$ with zero constant
term such that for $f, g \in \tau R[[\tau]]$,

$$T(f) + T(g) = T(F(f,g)). \tag{4.7}$$

Therefore $F$ is a formal group law.

Proof. Consider Prop. 4.2, but treat $t_1, t_2$ as indeterminates and substitute $S(t_1)$,
$S(t_2)$ for $s_1, s_2$. In other words, we are working over the field $L'$ = the quotient
field of $R[[t_1, t_2]]$. We need to show $t_3$ of equation (4.6) is a power series in $t_1, t_2$.
Let $M$ be the ideal of $R[[t_1, t_2]]$ generated by $t_1$ and $t_2$. That is, $M$ is the set of
elements $\mu \in R[[t_1, t_2]]$ for which $\mu(0,0) = 0$. If $\mu \in M$ and $u$ is a unit of $R$ then
$u + \mu$ is a unit in $R[[t_1, t_2]]$. Now

$$m = \frac{S(t_1) - S(t_2)}{t_1 - t_2} = \sum_{i=3}^{\infty} s_i \frac{t_1^i - t_2^i}{t_1 - t_2}
= \sum_{i=3}^{\infty} s_i \left( t_1^{i-1} + t_1^{i-2} t_2 + \cdots + t_1 t_2^{i-2} + t_2^{i-1} \right)$$

so $m$ belongs to $M^2$. Then $A = 1 + a_2 m + a_4 m^2 + a_6 m^3$ is a unit in $R[[t_1, t_2]]$,
since $A$ is the sum of a unit in $R$ and an element of $M$. In particular, $A \ne 0$,
so Prop. 4.2(b) applies. Also $b = S(t_1) - m t_1 \in M^3$. Now (4.6) shows that
$t_3 \in M$. Thus we can write $t_3 = G(t_1, t_2)$, $G \in M$. Certainly $t_3 \ne 0$, because
$G \equiv -t_1 - t_2 \bmod M^2$. We have $(t_1, -1, S(t_1)) + (t_2, -1, S(t_2)) = -(t_3, -1, s_3)$
in $E(L')$, where $s_3 = m t_3 + b \in M^3$. By Prop. 4.2(a), the right side is

$$\left( \frac{-t_3}{1 - a_1 t_3 - a_3 s_3},\ -1,\ \frac{-s_3}{1 - a_1 t_3 - a_3 s_3} \right).$$

Let

$$F(t_1, t_2) = \frac{-t_3}{1 - a_1 t_3 - a_3 s_3} \in M, \qquad
H(t_1, t_2) = \frac{-s_3}{1 - a_1 t_3 - a_3 s_3} \in M^3.$$

If we substitute $t_1 = f(\tau)$, $t_2 = g(\tau)$ for $f, g \in \tau R[[\tau]]$ we get a homomorphism
$R[[t_1, t_2]] \to R[[\tau]]$, which induces a homomorphism $E(L') \to E(L)$. It follows
that

$$(f, -1, S(f)) + (g, -1, S(g)) = (F(f,g), -1, H(f,g)).$$

By Lemma 4.1 $H(f,g) = S(F(f,g))$. This proves (4.7). The fact that $F$ is a
formal group law follows from Prop. 1.2. □
The first few terms of $F$ are:

$$F(X,Y) = X + Y - a_1 XY - a_2 (X^2 Y + XY^2)
- \left( 2 a_3 X^3 Y + (3 a_3 - a_1 a_2) X^2 Y^2 + 2 a_3 X Y^3 \right) + \cdots$$



5 Homomorphisms of formal group laws arising from 
isogenies 

Let $E, E'$ be two elliptic curves defined over the same field $K$. An algebraic
map from $E$ to $E'$ is a function $\alpha : E(K) \to E'(K)$ such that for each $P \in E$
there exist homogeneous polynomials $f_1, f_2, f_3$ of the same degree and not all
vanishing at $P$ such that for all but finitely many $Q \in E(K)$,

$$\alpha(Q) = (f_1(Q), f_2(Q), f_3(Q)).$$

An example of an algebraic map from $E$ to itself is the translation by $P$ map
$\tau_P(Q) = P + Q$ for $P, Q \in E$. The algebraic map is said to be defined over
a field $K$ if $E, E'$ are defined over $K$ and if all the coefficients of $f_1, f_2, f_3$ can
be chosen to belong to $K$. It is a theorem ([7], p. 75) that every nonconstant
algebraic map from $E$ into $E'$ which takes the origin to the origin is a group
homomorphism. Such an algebraic map is called an isogeny. If $t : E \to E'$ and
$-Q = t(0, 1, 0) \in E'$ then $\tau_Q \circ t$ takes the origin of $E$ into the origin of $E'$.
Thus every nonconstant algebraic map is the composition of an isogeny with a
translation. Two curves $E, E'$ are called isogenous over $K$ if there exists an
isogeny defined over $K$ from $E$ into $E'$. The endomorphism ring of $E$, written
$\mathrm{End}_K(E)$, is the set of isogenies over $K$ from $E$ to itself, together with the
constant zero map, with the addition and multiplication laws:

$$(\alpha + \beta)(P) = \alpha(P) + \beta(P), \qquad \alpha\beta = \alpha \circ \beta.$$

Note that $\mathbb{Z} \subset \mathrm{End}_K(E)$. If $K$ is the finite field with $q$ elements then the
Frobenius endomorphism $\varphi_q$ is defined by $\varphi_q(X, Y, Z) = (X^q, Y^q, Z^q)$. Since $\varphi_q$
coincides with the Galois action, it commutes with any endomorphism of $E$ which
is defined over $K$. In particular, $\varphi_q$ commutes with $\mathbb{Z}$.

We claim that an isogeny of elliptic curves over $K$ gives rise to a homomorphism
of the corresponding formal group laws over $K$. Indeed, let

$$I(X, Y, Z) = (f_1(X, Y, Z), f_2(X, Y, Z), f_3(X, Y, Z))$$

be an isogeny between elliptic curves $E, E'$ over $K$. Here $f_1, f_2, f_3$ are homogeneous
polynomials of the same degree, say $d$, and $f_1, f_2, f_3$ do not simultaneously
vanish at the origin. Since the origin of $E$ is carried to the origin of $E'$, $f_1$ and
$f_3$ vanish at $O = (0, 1, 0)$ but $f_2(O) \ne 0$. Thus $f_1/Y^d \in M$ and $f_2/Y^d \in \Omega^{\times}$.
Now $f_1/Y^d = f_1(X/Y, 1, Z/Y) = f_1(-t, 1, -s) = (-1)^d f_1(t, -1, s) \in M$ and
similarly $f_2/Y^d = (-1)^d f_2(t, -1, s) \in \Omega^{\times}$. Thus

$$f_1(X, Y, Z)/f_2(X, Y, Z) = f_1(t, -1, s)/f_2(t, -1, s) \in M.$$

Let $U(\tau) = \sum u_i \tau^i$ denote the expansion of $f_1/f_2$ with respect to $t$. Practically
speaking, $U$ can be obtained by expanding $s$ as a power series $S$ and then
computing

$$f_1(\tau, -1, S(\tau))/f_2(\tau, -1, S(\tau))$$

in the ring $K[[\tau]]$. Note that $f_2(\tau, -1, S(\tau))$ is invertible since its constant term
is nonzero.



Proposition 5.1 Let $E, E', E''$ be elliptic curves over $K$ and let $F, F', F''$ denote
the associated formal group laws over $K$. If $I : E \to E'$ is an isogeny then
the power series $U$ constructed above belongs to $\mathrm{Hom}(F,F')$. The map $I \mapsto U$
is a one-to-one group homomorphism from $\mathrm{Isog}(E,E') \hookrightarrow \mathrm{Hom}(F,F')$. If $I' :
E' \to E''$ and $I'$ corresponds to $U' \in \mathrm{Hom}(F',F'')$ then $I' \circ I$ corresponds to
$U' \circ U \in \mathrm{Hom}(F,F'')$.

Proof. Let $L$ be the quotient field of $K[[\tau]]$. Since $I$ is defined over $K$, it is a
priori defined over $L$. The discussion above shows that $I$ can be written in a
neighborhood of the origin as

\J2(*,-1,S) / 2 (t,-l,s) 

Let $T : \tau K[[\tau]] \to E(L)$ and $T' : \tau K[[\tau]] \to E'(L)$ be the embeddings (4.2).
Substitute $(X, Y, Z) \to T(f) = (f, -1, S(f)) \in E(L)$, where $f \in \tau K[[\tau]]$. Then
$t = -X/Y$ changes to $f$ and $s = -Z/Y$ changes to $S \circ f$. Thus $I(T(f)) =
(U(f), -1, V(f))$ where $U(\tau) = f_1(\tau, -1, S(\tau))/f_2(\tau, -1, S(\tau)) \in \tau K[[\tau]]$ and
$V(\tau) = f_3(\tau, -1, S(\tau))/f_2(\tau, -1, S(\tau)) \in \tau K[[\tau]]$. By Lemma 4.1, $V = S' \circ U$,
where $S'(\tau)$ is the power series expansion for $-Z/Y$ in the curve $E'$. Thus

$$I(T(f)) = T'(U(f)). \tag{5.1}$$

By Lemma 2.1, this equation proves that $U$ is a homomorphism of formal group
laws.

If $I_1, I_2 \in \mathrm{Isog}(E,E')$, and if $U_1, U_2 \in \mathrm{Hom}(F,F')$ are the corresponding
homomorphisms of formal group laws then on the elliptic curve $E(L)$,

$$\begin{aligned}
(I_1 + I_2)(\tau, -1, S(\tau))
&= I_1(\tau, -1, S(\tau)) + I_2(\tau, -1, S(\tau)) && \text{by definition of } I_1 + I_2 \\
&= T'(U_1) + T'(U_2) && \text{by (5.1)} \\
&= T'(F'(U_1, U_2)) && \text{by (4.7).}
\end{aligned}$$

On the other hand, if $I_1 + I_2$ corresponds to $U_3$ then

$$(I_1 + I_2)(\tau, -1, S(\tau)) = T'(U_3).$$

Since $T'$ is one-to-one, $U_3 = F'(U_1, U_2) = U_1 \oplus_{F'} U_2$. This shows that the map
$I \mapsto U$ is a group homomorphism.

Finally, if $I : E \to E'$, $I' : E' \to E''$ correspond to $U, U'$, respectively, then
since $U$ is the unique solution in $\tau K[[\tau]]$ to $I \circ T = T' \circ U$,

$$I' \circ I \circ T = I' \circ T' \circ U = T'' \circ U' \circ U,$$

whence $I' \circ I$ corresponds to $U' \circ U$. □



Example 5.2 Let $F$ be the formal group law over $R$ associated to an elliptic
curve $E$ with Weierstrass equation (4.1), where the coefficients $a_i \in R$, and $R$
is an integral domain. We will compute $[-1]_F$. Let $g \in \tau R[[\tau]]$. By
Proposition 4.2(a),

$$[-1]_E T(g) = [-1]_E (g, -1, S \circ g)
= \left( \frac{-g}{1 - a_1 g - a_3 S \circ g},\ -1,\ \frac{-S \circ g}{1 - a_1 g - a_3 S \circ g} \right).$$

The right side is $T(-g/(1 - a_1 g - a_3 S \circ g))$ by Lemma 4.1. Now Lemma 2.1
implies

$$[-1]_F = \frac{-\tau}{1 - a_1 \tau - a_3 S} = -\tau \sum_{n=0}^{\infty} (a_1 \tau + a_3 S)^n.$$

□

An isogeny $I : E \to E'$ is called separable if it has the property: if $t'$ is
a uniformizer at the origin of $E'$ then $t' \circ I$ is a uniformizer at the origin of
$E$. This definition does not depend on the choice of uniformizer $t'$. An isogeny
which is not separable is called inseparable. In characteristic zero, all isogenies
are separable. In characteristic $p$, the Frobenius is not separable, since it carries
uniformizers into $p$th powers of uniformizers. It is a theorem ([7], II.2.12) that
every isogeny can be factored as $\varphi_q$ from $E$ into $E^{(q)}$ ($q = p^k$) composed with a
separable isogeny from $E^{(q)}$ into $E'$.

Lemma 5.3 Let $I$ be an isogeny from $E$ to $E'$ and let $U(\tau) = \sum u_i \tau^i$ be the
corresponding homomorphism between the formal group laws. $I$ is separable iff
$u_1 \ne 0$.

Proof. Let $t'$ be the function $-X/Y \in K(E')$. $U$ is the power series expansion
of $t' \circ I$ with respect to the uniformizer $t = -X/Y \in K(E)$. Thus $t' \circ I$ is not a
uniformizer at the identity of $E$ iff $t' \circ I \in M^2$ iff $u_1 = 0$. □

Example 5.4 Let $E$ be an elliptic curve whose Weierstrass coefficients $a_i$ belong
to a field $K$ of characteristic $p > 0$, and let $F$ be its associated formal group law.
Let $E^{(p)}$ be the elliptic curve with Weierstrass coefficients $a_i^p$. Then the Frobenius
map $\varphi_p : E \to E^{(p)}$ defined by $\varphi_p(X, Y, Z) = (X^p, Y^p, Z^p)$ corresponds to the
homomorphism of formal group laws $\phi = \tau^p : F \to F^{(p)}$. □

6 Height of an elliptic curve

We begin this section with some facts about elliptic curves over finite fields. If
$\alpha : E \to E'$ is an isogeny, define $\alpha^* K(E') = \{ f \circ \alpha \mid f \in K(E') \}$; this is a
subfield of $K(E)$. The degree of an isogeny $\alpha : E \to E'$ is the index of $\alpha^* K(E')$
in $K(E)$. This number is finite because both fields have transcendence degree 1
and $\alpha$ is a nonconstant map. If $K$ has characteristic $p$ then the Frobenius isogeny
$\varphi_p(X, Y, Z) = (X^p, Y^p, Z^p)$ from $E$ into $E^{(p)}$ has degree $p$. Here $E^{(p)}$ is the curve
whose Weierstrass equation is obtained from that of $E$ by raising the coefficients
to the $p$th power.

Every isogeny $\alpha : E \to E'$ has a dual isogeny $\hat\alpha : E' \to E$. The dual isogeny
is characterized by the property that $\alpha \circ \hat\alpha = [\deg(\alpha)]_{E'}$ and $\hat\alpha \circ \alpha = [\deg(\alpha)]_E$,
where $[n]_E$ denotes multiplication by $n$. If $E = E'$, then there is an integer $a(\alpha)$,
called the trace of $\alpha$, such that $\alpha + \hat\alpha = [a(\alpha)]_E$. The endomorphism $\alpha$ satisfies
the quadratic equation

$$\alpha^2 - [a(\alpha)]\alpha + [\deg(\alpha)] = 0 \quad \text{in } \mathrm{End}(E).$$

In particular, if $K$ has $q$ elements then there is $t \in \mathbb{Z}$ such that

$$\varphi_q^2 - [t]\varphi_q + [q] = 0.$$

The integer $t$ is called the trace of Frobenius. It is well known ([7], Ch. 5)
that $|t| \le 2\sqrt{q}$ and the cardinality of $E(K)$ is $q + 1 - t$.

The height of a formal group law was defined in §3. Naturally, the height of 
an elliptic curve is defined to be the height of the associated formal group law. 

Proposition 6.1 An elliptic curve over a field of characteristic p, where p > 0, 
has height one or two. 

Proof. Let $\varphi_p : E \to E^{(p)}$ be the $p$th power Frobenius and $\hat\varphi_p : E^{(p)} \to E$ its dual.
Let $F$ be the formal group law associated to $E$, and let $V(\tau) = \sum v_i\tau^i : F^{(p)} \to F$
be the homomorphism of formal group laws associated to $\hat\varphi_p$. Then $[p]_F = V(\tau^p)$.
If $\hat\varphi_p$ is separable then $v_1 \ne 0$, so $E$ has height one. If $\hat\varphi_p$ is inseparable, it can be
written as a composition of a power of $\varphi_p$ and a separable isogeny ([7], Corollary
II.2.12). Since the degree of $\hat\varphi_p$ equals the degree of $\varphi_p$, only one power of $\varphi_p$
can occur in this decomposition. Thus $\hat\varphi_p = \alpha \circ \varphi_p$ with $\alpha$ an isomorphism. Let
$A = \sum a_i\tau^i$ be the power series corresponding to $\alpha$ and let $A'$ be the power series
corresponding to $\alpha^{-1}$. Then $[p]_F = A(\tau^{p^2}) = a_1\tau^{p^2} + \cdots$ and $a_1 \ne 0$ because
$A \circ A'(\tau) = \tau$. In this case $E$ has height two. □

An elliptic curve in characteristic $p$ of height one is called ordinary. An
elliptic curve in characteristic $p$ of height 2 is called supersingular. The next
lemma gives another characterization of supersingular and ordinary curves when
the underlying field is finite.

Proposition 6.2 An elliptic curve $E$ over a finite field $K$ with $q = p^n$ elements
is supersingular iff $p$ divides the trace of Frobenius iff $|E(K)| \equiv 1 \bmod p$. If $E$ is
supersingular and $n$ is even then $|E(K)| = q + 1 + m\sqrt{q}$, $m \in \{-2, -1, 0, 1, 2\}$.
If $E$ is supersingular, $n$ is odd, and $p \ge 5$, then $|E(K)| = q + 1$. If $E$ is supersingular,
$n$ is odd, and $p \le 3$ then $|E(K)| = q + 1 + m\sqrt{pq}$, where $m \in \{-1, 0, 1\}$.

For a more precise statement about which values of \E(K)\ can occur, the 
reader may consult [8], Theorem 4.1. 



Proof. As above, let $F$ be the formal group law corresponding to $E$ and
$V : F^{(p)} \to F$ the homomorphism of formal group laws corresponding to $\hat\varphi_p$. In
other words, $V$ is defined by $[p]_F = V(\tau^p)$. Recall that $E^{(p)}$ denotes the elliptic
curve whose Weierstrass equation is obtained by taking the $p$th powers of the
Weierstrass coefficients for $E$, and we use similar notation for isogenies. Now
$\hat\varphi_p^{(p^k)} : E^{(p^{k+1})} \to E^{(p^k)}$ is the dual of the map $\varphi_p : E^{(p^k)} \to E^{(p^{k+1})}$, so

$$\hat\varphi_p \circ \hat\varphi_p^{(p)} \circ \cdots \circ \hat\varphi_p^{(p^{n-1})}$$

is the dual of $\varphi_p^n$. The corresponding formal group law homomorphism is

$$N(V) = V \circ V^{(p)} \circ \cdots \circ V^{(p^{n-1})}.$$

Let $t$ be the trace of Frobenius, so that $|E(K)| = q + 1 - t$. Since $[t]_E$ is the sum
of $\varphi_p^n$ and its dual in $\operatorname{End}(E)$, it follows that

$$[t]_F = N(V) \oplus_F \tau^{p^n} = F(N(V), \tau^{p^n}).$$

If $E$ is supersingular then $V$ has height one, so $N(V)$ has height $n$. In that case,
$[t]_F$ has height at least $n$, so $[t^2]_F$ has height at least $2n$. Since the height of $F$ is
two in this case, Prop. 3.3(e) implies $t^2$ is divisible by $p^n$. Since $|t| \le 2\sqrt{q}$ and $q \mid t^2$,
we deduce that $t^2 \in \{0, q, 2q, 3q, 4q\}$. Since $t \in \mathbf{Z}$, we find $t \in \{0, \pm q^{1/2}, \pm 2q^{1/2}\}$
if $n$ is even; $t = 0$ if $n$ is odd and $p > 3$; $t \in \{0, \pm\sqrt{2q}\}$ if $n$ is odd and $p = 2$;
$t \in \{0, \pm\sqrt{3q}\}$ if $n$ is odd and $p = 3$. Since $|E(K)| = q + 1 - t$, the cardinality
of $E(K)$ must be of the form stated.

Next suppose $E$ is ordinary. Then $N(V)$ has height zero, so $[t]_F$ has height
zero. In that case Prop. 3.3(e) implies $t$ is prime to $p$. □

Proposition 6.3 If $E$ is an ordinary elliptic curve defined over a field $K$ of
cardinality $p^n$ and $F$ is its associated formal group law then the trace of the
Frobenius endomorphism is equal mod $p$ to the norm from $K$ to $\mathbf{F}_p$ of the first
nonzero coefficient of $[p]_F$.

Proof. Let $|K| = p^n = q$. The homomorphism of $F$ associated to $\varphi_q^2 + [-t]_E\varphi_q + [q]_E$
is zero, thus each of its coefficients is zero. Now $\varphi_q$ corresponds to the power
series $\tau^q$, and $[-t]_E$ corresponds to a power series of the form $-t\tau + \tau^2(\cdots)$,
therefore $\varphi_q^2 + [-t]_E \circ \varphi_q$ corresponds to $F(\tau^{q^2}, -t\tau^q + \tau^{2q}(\cdots))$, which is of the
form $-t\tau^q + \tau^{2q}(\cdots)$. Finally, we evaluate $[q]_F$. Let $\phi = \tau^p$. Since $\phi \circ V = V^{(p)} \circ \phi$,

$$[q]_F = (V \circ \phi)^n = V \circ V^{(p)} \circ \cdots \circ V^{(p^{n-1})} \circ \phi^n = \bigl(N_{K/\mathbf{F}_p}(v)\tau + (\cdots)\tau^2\bigr) \circ \tau^q,$$

so $[q]_F = N_{K/\mathbf{F}_p}(v)\tau^q + (\tau^{2q})(\cdots)$. Thus

$$0 = F\bigl(-t\tau^q + \tau^{2q}(\cdots),\ N_{K/\mathbf{F}_p}(v)\tau^q + \tau^{2q}(\cdots)\bigr) = \bigl(-t + N_{K/\mathbf{F}_p}(v)\bigr)\tau^q + \tau^{2q}(\cdots).$$



□ 
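
Propositions 6.2 and 6.3 can be checked numerically over a prime field. The Python below is an added example, not code from the paper: it assumes short Weierstrass curves $y^2 = x^3 + ax + b$ over $\mathbf{F}_p$ with $p \ge 5$ (so $n = 1$ and the norm is the identity), and it compares the trace with the classical Hasse invariant, which is congruent to $t$ mod $p$ and is used here as the computable quantity in place of the coefficient of $[p]_F$. The function names and the sample curves are constructed for illustration.

```python
def count_points(a, b, p):
    """|E(F_p)| for y^2 = x^3 + a*x + b over F_p (p >= 5 prime), by brute force."""
    roots = {}                                    # v -> number of y with y^2 = v
    for y in range(p):
        roots[y * y % p] = roots.get(y * y % p, 0) + 1
    affine = sum(roots.get((x**3 + a * x + b) % p, 0) for x in range(p))
    return affine + 1                             # plus the point at infinity


def hasse_invariant(a, b, p):
    """Coefficient of x^(p-1) in (x^3 + a*x + b)^((p-1)/2), reduced mod p."""
    f, power = [b % p, a % p, 0, 1], [1]          # coefficient lists, low degree first
    for _ in range((p - 1) // 2):
        nxt = [0] * (len(power) + 3)
        for i, c in enumerate(power):
            for j, d in enumerate(f):
                nxt[i + j] = (nxt[i + j] + c * d) % p
        power = nxt
    return power[p - 1]


def classify(a, b, p):
    """Order, trace of Frobenius t, height test (p | t) and Hasse invariant."""
    if (4 * a**3 + 27 * b * b) % p == 0:
        raise ValueError("singular curve: not an elliptic curve")
    order = count_points(a, b, p)
    t = p + 1 - order
    assert t * t <= 4 * p                         # |t| <= 2*sqrt(q)
    return {"order": order, "trace": t,
            "supersingular": t % p == 0,          # Prop. 6.2: p divides t
            "hasse": hasse_invariant(a, b, p)}    # congruent to t mod p


if __name__ == "__main__":
    print(classify(0, 1, 5))   # constructed example: y^2 = x^3 + 1, supersingular
    print(classify(1, 1, 5))   # constructed example: y^2 = x^3 + x + 1, ordinary
```

For the supersingular curve the order is $q + 1$ as Proposition 6.2 predicts for odd $n$ and $p \ge 5$; for the ordinary curve the Hasse invariant is a nonzero residue equal to $t$ mod $p$.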



7 Some theorems of Couveignes 



Let $R$ be an integral domain of characteristic $p$. Let $\mathbf{F}_p \subset R$ be the field with $p$
elements if $p$ is prime, and $\mathbf{F}_p = \mathbf{Z}$ if $p = 0$. Let

i,3 i,3 

be two formal group laws over $R$, and let $U(\tau) = \sum_{i=1}^{\infty} u_i\tau^i \in \tau R[[\tau]]$ be a
homomorphism from $F$ to $F'$. Couveignes proved with an elementary argument in
his PhD thesis that the coefficients $u_i$ satisfy some simple relations over $R$. He
used these relations to compute the orders of elliptic curves over finite fields of
small characteristic (see [2] and [6]). In [1] it is shown that Couveignes' method is
closely related to the modified Schoof algorithm which was developed by Atkin
and Elkies; see [5] and its bibliography. In this section we state and prove
Couveignes' theorems. In the next section we prove related results which are used in
[1].

Theorem 7.1 Let $i$ be a positive integer which is not a power of $p$. If $p = 0$
assume $\binom{i}{m}$ is a unit in $R$ for some $1 \le m < i$. There is a polynomial $C_i$ in
several variables with coefficients in $\mathbf{F}_p$ such that for each $F, F', U$ as above we
have

$$u_i = C_i(u_j, f_{k\ell}, f'_{k\ell} \mid 1 \le j < i,\ 1 \le k + \ell \le i).$$

Proof. Let $A$ be transcendental and work in the integral domain $R[A]$. Since $U$
is a homomorphism,

$$U(F(\tau, A\tau)) = F'(U(\tau), U(A\tau)).$$

By (1.2) there are power series $G, G' \in R[[X, Y]]$ such that $F(X, Y) = X + Y +
XYG(X, Y)$ and $F'(X, Y) = X + Y + XYG'(X, Y)$. Therefore

$$\sum u_j\bigl(\tau + A\tau + A\tau^2 G(\tau, A\tau)\bigr)^j = \sum u_j\tau^j + \sum u_j A^j\tau^j + U(\tau)U(A\tau)G'(U(\tau), U(A\tau)).$$

This can be rewritten

$$0 = \sum u_j\tau^j\bigl\{(1 + A + A\tau G(\tau, A\tau))^j - (1 + A^j)\bigr\} - A\tau^2\Bigl(\sum_{j=0}^{\infty} u_{j+1}\tau^j\Bigr)\Bigl(\sum_{j=0}^{\infty} u_{j+1}A^j\tau^j\Bigr) G'\Bigl(\sum_{j=1}^{\infty} u_j\tau^j, \sum_{j=1}^{\infty} u_j A^j\tau^j\Bigr).$$

The coefficient of $\tau^i$ is of the form $u_i\{(1 + A)^i - (1 + A^i)\} + M_i$, where $M_i$ is
a polynomial in $A, u_1, u_2, \ldots, u_{i-1}$ and in some of the coefficients of $G$, $G'$. This
gives the relation

$$u_i\{(1 + A)^i - (1 + A^i)\} + M_i = 0.$$

The hypothesis that $i$ is not a power of $p$ implies $(1 + A)^i \ne 1 + A^i$. If $p = 0$
choose $m$ such that $\binom{i}{m}$ is a unit in $R$, and if $p > 0$ let $m$ be a positive integer
such that the coefficient of $A^m$ is nonzero in the polynomial $(1 + A)^i - (1 + A^i)$.
In characteristic $p$ this coefficient is a unit in $R$ because it is a nonzero element
of the prime field $\mathbf{F}_p$. Since $A$ is transcendental, the coefficient of $A^m$ in our
relation must be identically zero. This coefficient gives our desired formula for
$u_i$ in terms of the $u_j$ and the coefficients of $F$ and $F'$. □
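
The proof of Theorem 7.1 is effectively an algorithm: read off the coefficient of $A^m\tau^i$ and solve for $u_i$. The Python below is an added example, not code from the paper or from Couveignes; it works in the $p = 0$ case over $\mathbf{Q}$ with $m = 1$ (where $\binom{i}{1} = i$ is a unit), and the function names and the two sample group laws (additive and multiplicative) are chosen here for illustration.

```python
from fractions import Fraction
from math import comb

def mul(P, Q, N):
    """Product of polynomials in (tau, A) stored as {(tau_deg, A_deg): c}, mod tau^(N+1)."""
    R = {}
    for (i, m), c in P.items():
        for (j, n), d in Q.items():
            if i + j <= N:
                R[i + j, m + n] = R.get((i + j, m + n), 0) + c * d
    return R

def subst(S, X, Y, N):
    """S(X, Y) mod tau^(N+1) for S = {(k, l): coeff}; X and Y have no constant term."""
    out, Xk = {}, {(0, 0): Fraction(1)}
    for k in range(N + 1):
        term = Xk                                   # X^k * Y^l, starting at l = 0
        for l in range(N + 1 - k):
            c = S.get((k, l), 0)
            for key, v in (term.items() if c else ()):
                out[key] = out.get(key, 0) + c * v
            term = mul(term, Y, N)
        Xk = mul(Xk, X, N)
    return out

def couveignes_coeffs(F, Fp, u1, N):
    """[u_0, ..., u_N] of the homomorphism U: F -> Fp with first coefficient u1, over Q."""
    G = subst(F, {(1, 0): Fraction(1)}, {(1, 1): Fraction(1)}, N)   # F(tau, A*tau)
    u = [Fraction(0), Fraction(u1)]
    for i in range(2, N + 1):
        u.append(Fraction(0))                       # evaluate both sides with u_i = 0
        U1 = {(j, 0): u[j] for j in range(1, i + 1)}    # U(tau)
        UA = {(j, j): u[j] for j in range(1, i + 1)}    # U(A*tau)
        lhs = subst(U1, G, {}, i)                   # U(F(tau, A*tau))
        rhs = subst(Fp, U1, UA, i)                  # F'(U(tau), U(A*tau))
        M = lhs.get((i, 1), 0) - rhs.get((i, 1), 0)     # M_i at A^1 * tau^i
        u[i] = Fraction(-M) / comb(i, 1)            # u_i * binom(i, 1) + M_i = 0
    return u

ADDITIVE = {(1, 0): 1, (0, 1): 1}                   # F(X, Y) = X + Y
MULTIPLICATIVE = {(1, 0): 1, (0, 1): 1, (1, 1): 1}  # F(X, Y) = X + Y + XY

if __name__ == "__main__":
    print(couveignes_coeffs(ADDITIVE, MULTIPLICATIVE, 1, 5))        # e^tau - 1
    print(couveignes_coeffs(MULTIPLICATIVE, MULTIPLICATIVE, 2, 4))  # (1 + tau)^2 - 1
```

From additive to multiplicative the recursion returns $u_i = 1/i!$, the series $e^\tau - 1$; from the multiplicative law to itself with $u_1 = 2$ it returns $2\tau + \tau^2$, the multiplication-by-2 series.
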

The next theorem accounts for the $u_i$ when $i$ is a power of $p$. It was proved
by Couveignes for formal group laws associated to ordinary elliptic curves, but
his argument generalizes easily to formal group laws of any height.

Theorem 7.2 Let $i$ be a power of a prime $p$ and let $h > 0$. There is a polynomial
$C_i$ in several variables with coefficients in $\mathbf{F}_p$ such that: if $F = \sum f_{k\ell}X^kY^\ell$
and $F' = \sum f'_{k\ell}X^kY^\ell$ are formal group laws of height $h$ over a domain $R$ of
characteristic $p$ and $U = \sum u_j\tau^j : F \to F'$ a homomorphism then

$$v'_1 u_i^q - v_1^i u_i = C_i(u_j, f_{k\ell}, f'_{k\ell} \mid j < i,\ k + \ell \le qi)$$

where $q = p^h$ and $v_1$, $v'_1$ are the first nonzero coefficients of the power series $[p]_F$,
$[p]_{F'}$, respectively.

Proof. By Prop. 3.2 we can write $[p]_F = V \circ \phi^h(\tau) = V(\tau^q)$, where
$V(\tau) = \sum v_j\tau^j$ is a homomorphism of height zero from $F^{(q)}$ to $F$. It is easy to show by
induction on $n$ that for $n > 0$ the $j$th coefficient of $[n]_F$ is a polynomial in the
$f_{k\ell}$ with $k + \ell \le j$. Since $v_j$ is the $jq$th coefficient of $[p]_F$, $v_j$ is a polynomial in
the $f_{k\ell}$ with $k + \ell \le jq$. Similarly $[p]_{F'} = V' \circ \phi^h$, $V'(\tau) = \sum v'_j\tau^j$ and $v'_j$ is a
polynomial in the $f'_{k\ell}$ with $k + \ell \le jq$. Since $[p]_{F'} \circ U = U \circ [p]_F$,

$$V'(U(\tau)^q) = U(V(\tau^q)).$$

Let $\sigma = \tau^q$. The left side is

oo oo 

i=i j=i 

and the coefficient of $\sigma^i$ is of the form $v'_1 u_i^q$ plus terms involving $u_j$ for $j < i$ and
$v'_j$ for $j \le i$. The right side is

$$u_1\sum_j v_j\sigma^j + u_2\Bigl(\sum_j v_j\sigma^j\Bigr)^2 + \cdots + u_i\Bigl(\sum_j v_j\sigma^j\Bigr)^i + \cdots.$$

This time the coefficient of $\sigma^i$ is of the form $u_i(v_1)^i$ plus terms involving $u_j$ for
$j < i$ and $v_j$ for $j \le i$. By equating the two sides we get $v'_1 u_i^q - v_1^i u_i$ equals a
polynomial in the $u_j$ for $1 \le j < i$ and the $v_j$, $v'_j$ for $1 \le j \le i$. □



8 Further results relating to Couveignes' theorems 



Fix the following notation throughout this section. Let $R$ be an integral domain
of characteristic $p > 0$, $F$ and $F'$ formal group laws of height $h$ over $R$, and
$q = p^h$. Let $C_1, C_2, \ldots$ denote Couveignes' relations given in §7 evaluated at the
coefficients of $F$, $F'$ but leaving the $u_i$ as indeterminates; thus $C_i \in R[X_1, \ldots, X_i]$
and $C_i = X_i +$ a certain polynomial in $X_1, \ldots, X_{i-1}$ if $i$ is not a power of $p$;
$C_i = v'_1 X_i^q - v_1^i X_i +$ a certain polynomial in $X_1, \ldots, X_{i-1}$ if $i$ is a power of $p$.
Here the $v_1$ and $v'_1$ lie in $R$, since they are polynomials in the coefficients of $F$
and $F'$, respectively. Couveignes' theorems assert that if $\sum u_i\tau^i \in \operatorname{Hom}(F, F')$
then $C_i(u_1, \ldots, u_i) = 0$ for all $i$. Let $K$ denote the separable algebraic closure of
the quotient field of $R$.

Lemma 8.1 There are exactly $q^n$ solutions $(u_1, \ldots, u_{p^n-1})$ with $u_i \in K$ to the
first $p^n - 1$ of Couveignes' relations.

Proof. For each solution $(w_1, \ldots, w_{i-1})$ to the first $i - 1$ of Couveignes' equations
over $K$ there are $q$ values or 1 value of $w_i$ such that $(w_1, \ldots, w_i)$ is a solution
to the $i$th relation, according as $i$ is or is not a power of $p$. (To see that the $q$
solutions for $w_i$ are distinct when $i$ is a power of $p$, note that the derivative with
respect to $X_i$ of $C_i$ is $-v_1^i$, which is nonzero.) The lemma now follows easily by
induction on $n$. □



Theorem 8.2 If $u_1, u_2, \ldots$ is a solution to Couveignes' relations then $\sum u_i\tau^i \in
\operatorname{Hom}(F, F')$.

Proof. Without loss of generality we can replace $R$ by $K$. In Chapter III, §2 of [3]
it is shown that $\operatorname{Hom}(F, F')$ is free over $\mathbf{Z}_p$ of rank $h^2$ and $p^n\operatorname{Hom}(F, F')$ is the
set of homomorphisms with height $\ge nh$. (In fact, it is shown that $\operatorname{Hom}(F, F')$ is
the maximal order of a central division algebra over $\mathbf{Q}_p$ of rank $h^2$ and invariant
$1/h$, but we do not need this here.) It follows that a complete set of $\mathbf{Z}_p$-module
generators $U_1, \ldots, U_{h^2}$ can be found such that the height of each generator is
less than $h$, and if $\sum c_iU_i$ has height $\ge nh$ for some $c_i \in \mathbf{Z}_p$ then each $c_i$ is
divisible by $p^n$. If $U, U' \in \operatorname{Hom}(F, F')$ and $U \equiv U' \bmod \deg q^n$ (meaning that
the $i$th coefficient of $U$ and $U'$ coincide for all $i < q^n$) then

$$0 = F'(U', [-1]_{F'} \circ U') \equiv F'(U, [-1]_{F'} \circ U') = U \ominus_{F'} U' \bmod \deg q^n,$$

so $U \ominus_{F'} U'$ has height $\ge nh$, and it is therefore divisible by $p^n$. Thus $\sum c_iU_i \equiv
\sum c'_iU_i \bmod \deg q^n$ ($c_i, c'_i \in \mathbf{Z}_p$) implies $c_i \equiv c'_i \bmod p^n$. This shows that the
number of distinct elements $\sum_{i=1}^{q^n-1} u_i\tau^i$ which are truncations of power series in
$\operatorname{Hom}(F, F')$ is the cardinality of $(\mathbf{Z}/p^n\mathbf{Z})^{h^2}$, which is $q^{nh}$. Each truncation gives
rise to a solution $(u_1, \ldots, u_{q^n-1})$ of the first $q^n - 1$ of Couveignes' relations. Since
this coincides with the total number of solutions, each solution of Couveignes'
relation arises from $\operatorname{Hom}(F, F')$. □



Corollary 8.3 If $h = 1$ and if $\operatorname{Hom}(F, F')$ contains a homomorphism (with
coefficients in $R$) of height $k$ then all the solutions $(v_1, v_2, \ldots)$ in $K$ to Couveignes'
relations for which $v_i = 0$ for $i < p^k$ actually lie in $R$.

Proof. Let $U$ be the homomorphism of height $k$ and $\mathbf{Z}_p \cdot U = \{\, c \cdot U \mid c \in \mathbf{Z}_p \,\}$.
As mentioned in the previous proof, $\operatorname{Hom}(F, F') = \mathbf{Z}_p$, and it is generated by
a homomorphism $U_0$ of height zero. Find $a \in \mathbf{Z}_p$ such that $U = a \cdot U_0$. Since
$\operatorname{ht}(a \cdot U_0) = v_p(a)$, $v_p(a) = k$. Thus $\mathbf{Z}_p \cdot U = \mathbf{Z}_p a \cdot U_0 = p^k\mathbf{Z}_p \cdot U_0$. Since $U$
is defined over $R$, so is $c \cdot U$ for each $c \in \mathbf{Z}_p$. Thus every element of $p^k\mathbf{Z}_p \cdot U_0$
has coefficients in $R$. The coefficients of such elements are precisely the solutions
$(v_1, v_2, \ldots)$ to Couveignes' relations which have $v_i = 0$ for all $i \le p^k - 1$. □